
Standard user accounts and safe browsing


8 replies to this topic

#1 Mesmerized


Posted 27 May 2009 - 02:27 AM

Hi,

Windows security center suggests that a person should surf the net using a standard user account instead of an administrative account.

What do you think about the effectiveness of this suggestion?



#2 SnakeOnThePlane


Posted 27 May 2009 - 12:28 PM

> Hi,
>
> Windows security center suggests that a person should surf the net using a standard user account instead of an administrative account.
>
> What do you think about the effectiveness of this suggestion?


The suggestion is extremely good, and the effectiveness of using a standard user account is arguably (and in my personal experience of some years) far greater than the use of any Antivirus product.

Most, I would say well over 95%, of all malicious software and exploits either completely fail to infect a system when the user is logged in as a standard user rather than an admin or only succeed in infecting that standard user account instead of creating a system wide infection. Most malware requires admin privileges to succeed in doing what it does, and although more malware is coming out that can run and infect without admin rights, using a standard user account is still an excellent security measure. Indeed, it should be _the first_ security measure that all other measures are based on: limiting the rights that unknown/bad stuff have and giving the good security and system level software full rights. Your firewall, your antivirus, everything is more effective, theoretically, when they run with admin rights but the user is logged in as a standard user. This is because executable code runs with the rights of the logged in user that executes the code. If you are logged in as a standard user, any malware that runs also gets only standard user rights (assuming there isn't a rare privilege escalation or system service exploit). This means that malware running with only standard user rights cannot, for example, infect system files or terminate security programs like antivirus realtime monitors that run with admin rights, making the security software much more efficient.

You should always run as a standard user when doing anything that doesn't absolutely require an admin account. You have certainly heard how Linux and Mac OS X are said to be far more secure than Windows. One of the biggest reasons for this difference in security is the fact that Linux and OS X make people use standard user accounts, instead of admin accounts (admin on Windows is the same as Root on Unix based systems like Linux or Mac OS X, so using the OS X admin account is not the same as using the admin account in Windows).

I'm a newbie in this forum, so take my advice with a grain of salt, and Google around. Microsoft suggests using standard user accounts for a reason. It really does increase security enormously. Whereas signature based antivirus fails when it meets something new and different, standard user accounts still protect you against old and new malicious code with same effectiveness - just as long as you don't give admin rights to everything that asks for it without thinking it through. :thumbsup:

#3 boopme


Posted 27 May 2009 - 09:26 PM

Nice answer Snakes :thumbsup:

#4 SnakeOnThePlane


Posted 28 May 2009 - 01:14 AM

> Nice answer Snakes :thumbsup:


Thanks :flowers: I'm used to running as a standard user, I've done it for many years and as long as I've been using NT series Windows'. Never had problems with it.

#5 scff249


Posted 28 May 2009 - 07:03 AM

The explanation you provided helped me understand a bit more about some things on the Mac and Linux stuff (as to why some malware fails in it). There's always something new to learn. Great explanation.

Edited by scff249, 28 May 2009 - 07:03 AM.



#6 SnakeOnThePlane


Posted 28 May 2009 - 09:37 AM

Some years ago I bookmarked a good site detailing some benefits of running standard user (or "limited user") accounts, and it seems to still be online. It has articles written by Microsoft software engineers among others: http://nonadmin.editme.com/WhyNonAdmin

There was a link to an article that I thought had a very good summary about why running with admin rights is bad and running with a standard user account instead is good. I will quote the article:

> Even if you keep up to date on patches and virus signatures, enable strong security settings, and are extremely careful with attachments, things happen. Let’s say you’re using your favorite search engine and click on a link that looks promising, but which turns out to be a malicious site hosting a zero-day exploit of a vulnerability in the browser you happen to be using, resulting in execution of arbitrary code. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privs. If the exploit happens to be written so that it requires admin privileges (as many do), just running as User stops it dead. But if you’re running as admin, an exploit can:
> - install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)
> - install and start services
> - install ActiveX controls, including IE and shell add-ins (common with spyware and adware)
> - access data belonging to other users
> - cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
> - replace OS and other program files with trojan horses
> - access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
> - disable/uninstall anti-virus
> - cover its tracks in the event log
> - render your machine unbootable
> - if your account is an administrator on other computers on the network, the malware gains admin control over those computers as well
> - and lots more


I will add another example: what if you're browsing one of your frequently visited sites but it has been hacked and is now serving malware? If you were running as admin, and the malware was so new antiviruses don't yet detect it, guess what will happen... That's where running as standard user can limit the severity of the threat:
To paraphrase that quote, if you're running as a standard user, an exploit...
- cannot install kernel-mode rootkits or keyloggers to hide itself and spy on you, only user-mode malware that is much easier to detect and destroy
- cannot install or start services, or disable them
- cannot install ActiveX controls or addons
- cannot access data belonging to other accounts (so your kids on their own account cannot screw up your account and its files!)
- cannot cause code to run whenever anybody else logs on (no system wide infection of all user accounts), it can only infect the standard user account itself
- cannot replace critical OS or program files with trojan horses or other malware
- cannot disable/uninstall/terminate security software like antiviruses or firewalls
- cannot cover its tracks in the event log
- cannot render your machine unbootable (by deleting critical system files, for example)
- cannot gain control over the entire network

Standard user is great. :thumbsup: It isn't infallible, and there are evil things malware can do even to a standard user account, but it's many times safer than admin accounts. And it helps against human error, too: what if you or your kids accidentally delete some important system file that you need - well, you can't do that with a standard user account, as only admins can delete system files. Some software is coded so poorly it doesn't work right with standard user accounts, but those are getting rarer all the time, and personally I prefer not to use such software (if they are so poorly coded they don't work with standard user rights, who knows what security vulnerabilities they have). And some software just isn't meant to run as anything except admin, like any software that does system maintenance work: defragging, checkdisc utilities or installing software and such. For those cases, you have to log in as admin for the moment, or use Run As.

I would recommend anyone running Windows XP/Vista/7 or any modern operating system to transit to using standard user accounts for daily browsing and working, and to only use admin accounts when it is absolutely necessary. It may feel a bit awkward at first, but it's a great security benefit.

#7 Mesmerized


Posted 29 May 2009 - 03:28 AM

Great explanation SnakeOnThePlane :thumbsup: , I never thought that using a standard user account had so many advantages!!!

I still have a question though:

When I ran Firefox for the first time using a standard user account, I discovered that the many add-ons and themes that I had installed before were not available for this account, so I run Firefox as an administrator. Does this make a difference? I mean, is it safer to run Firefox using my standard user account, or does it not make a difference?

#8 SnakeOnThePlane


Posted 29 May 2009 - 04:35 AM

> Great explanation SnakeOnThePlane :thumbsup: , I never thought that using a standard user account had so many advantages!!!
>
> I still have a question though:
>
> When I ran Firefox for the first time using a standard user account, I discovered that the many add-ons and themes that I had installed before were not available for this account, so I run Firefox as an administrator. Does this make a difference? I mean, is it safer to run Firefox using my standard user account, or does it not make a difference?


Running as a standard user does have a whole lot of security advantages. :flowers:


About Firefox: Yes, it does make a big difference. It is much safer to run Firefox using your new standard user account than it would be to run it under an admin account. It really goes for all software. Admin accounts and any software running in an admin account can do anything, and that's why they're so "dangerous." Firefox is a good browser, and safe, but it's even safer under a standard user account, because of the reasons mentioned in previous posts. Firefox, like any browser, has had its share of vulnerabilities, and although the Mozilla organisation patches quickly, there are also vulnerabilities that aren't in the Firefox code but can infect people using Firefox - Adobe Acrobat Reader exploits, Adobe Flash exploits, and so on. A lot of these vulnerabilities are impossible for the bad guys to exploit if you're running as a standard user.

I don't currently use Firefox (instead I use Opera, and in a standard user account of course), so I cannot be as helpful as I'd like, but... I think that in Firefox the extension and themes are installed "per user", meaning that they are installed in the user's profile folder (in XP, Documents and Settings\[user's name]\Application Data\Mozilla), so that each user can have different extensions. That is why you aren't seeing all your extensions that you had on the admin account in your standard user account. What you could do is try installing your favourite addons and themes again, using Firefox in your standard user account. To install them, just do what you did when you installed them in your admin account. https://addons.mozilla.org ahoy! That ought to work, I think. Good luck! :trumpet:

Also, a reminder: since standard user accounts cannot make system-wide changes and install software system-wide, they also cannot make software updates that are system-wide. Meaning that when a new Firefox version, or any other program, comes out, to update you should log in as admin to perform the update. Standard users cannot write to Program Files where the system-wide installations are supposed to go, so you will need to do updates as an admin. However, anything that is installed per user like Firefox extensions (I think) can be updated by a limited user, but only for that account. To some people this is a little annoying, and I admit it can be a bit boring sometimes, but it is worth it. It's like seatbelts in cars - it is kind of bothersome to always put those on, but they do help.

Edited by SnakeOnThePlane, 29 May 2009 - 04:41 AM.
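
The write restrictions described in the post above (no writes to Program Files or other system-wide locations, while per-user locations in the profile folder stay writable) can be checked from the account itself. The PowerShell below is an added example, not part of the original thread; the function names are illustrative, and the probed locations come from the standard Windows environment variables.

```powershell
# Added example (not from the thread): show what the current logon may modify.
# Run it once from the standard account and once from an elevated admin prompt.

function Test-IsElevated {
    # True only when the current process token carries the Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DirectoryWrite {
    param([Parameter(Mandatory)][string]$Path)
    # Create and delete a uniquely named probe file; a failure means no write access.
    $probe = Join-Path $Path ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch {
        $false
    }
}

function Test-HklmWrite {
    # Opening HKLM\SOFTWARE for writing is refused when the token lacks admin rights.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE', $true)
        if ($key) { $key.Close(); $true } else { $false }
    } catch {
        $false
    }
}

# Locations named in the thread: system-wide install and OS directories versus the profile.
$targets = [ordered]@{
    'Program Files (system-wide installs)' = $env:ProgramFiles
    'Windows\System32 (OS files)'          = Join-Path $env:windir 'System32'
    'Per-user profile (%APPDATA%)'         = $env:APPDATA
}

"Elevated (admin token): {0}" -f (Test-IsElevated)
foreach ($name in $targets.Keys) {
    "{0,-40} writable: {1}" -f $name, (Test-DirectoryWrite $targets[$name])
}
"{0,-40} writable: {1}" -f 'HKLM\SOFTWARE (machine-wide settings)', (Test-HklmWrite)
```

With default permissions, a standard account should report only the per-user profile as writable; any system-wide location that shows as writable there has had its permissions loosened and is worth investigating.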


#9 Mesmerized


Posted 29 May 2009 - 06:54 AM

I understand now, thanks for clearing it out :thumbsup:!



